Auto Thumbnailer

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

The Auto Thumbnailer plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the uploadThumb() function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

AI Analysis

Arbitrary file upload vulnerability due to missing file type validation

Basic Information

ID CVE-2025-12154

Source Wordfence

Published Dec 5, 2025 at 05:31

Affected Product

Vendor moderntribe

Product Auto Thumbnailer

Version *

Affected Versions moderntribe Auto Thumbnailer *

CWE Classification

CWE-434

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor moderntribe

Product Auto Thumbnailer

Version 1.0

References

{
    "lastseen": "",
    "description": "The Auto Thumbnailer plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the uploadThumb() function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.",
    "published": "2025-12-05T05:31:29.082Z",
    "modified": "2025-12-05T05:31:29.082Z",
    "type": "cve",
    "title": "Auto Thumbnailer <= 1.0 - Authenticated (Contributor+) Arbitrary File Upload",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d7c98191-bf17-4e94-88cc-ad385b1fe97d?source=cve\nhttps://wordpress.org/plugins/auto-thumbnailer/",
    "id": "CVE-2025-12154",
    "bulletinFamily": "",
    "cwe": [
        "CWE-434"
    ],
    "cvelist": null,
    "sourceData": "moderntribe Auto Thumbnailer *",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Auto Thumbnailer",
    "version": "*",
    "vendor": "moderntribe",
    "ai_description": "Arbitrary file upload vulnerability due to missing file type validation",
    "ai_severity": "High",
    "ai_vendor": "moderntribe",
    "ai_product": "Auto Thumbnailer",
    "ai_version": "1.0",
    "ai_score": 8.8
}

Auto Thumbnailer <= 1.0 - Authenticated (Contributor+) Arbitrary File Upload_CVE-2025-12154